The present invention relates generally to an improved distributed data processing system and in particular to an improved method and apparatus for accessing information in a distributed system.
A directory service is a central point where network services, security services and applications can form an integrated distributed computing environment. Typical uses of a directory service may be classified into several categories. A “naming service”, such as Directory Naming Service (DNS) or Cell Directory Service (CDS), uses the directory as a source to locate an Internet Host address or the location of a given server. A “user registry”, such as Novell Directory Services (NDS), stores information about users in a system comprised of a number of interconnected machines. Still another directory service is a “white pages” lookup provided by some mail clients, such as Netscape Communicator or Lotus Notes.
With more and more applications and system services demanding a central information repository, the next generation directory server will need to provide system administrators with a data repository that can significantly ease administrative burdens. In the Internet/intranet environment, it will be required to provide user access to such information in a secure manner. It will be equally important to provide robust and simple administrative tools to manage the directory content.
Lightweight Directory Access Protocol (LDAP) is a software protocol for providing directory service enablement to a large number of applications. These applications range from e-mail to distributed system management tools. LDAP is an evolving protocol model based on the client-server model in which a client makes a TCP/IP connection to an LDAP server. LDAP is a “lightweight” version of DAP (Directory Access Protocol), which is part of X.500, a standard for directory services in a network.
The LDAP information model, in particular, is based on an “entry”, which contains information about some object. Entries are typically organized in a specified tree structure, and each entry is composed of attributes. An example LDAP directory is organized in a simple “tree” hierarchy consisting of the following levels:
The “root” directory is the starting place or the source of the tree.
Countries are designated by two-letter codes, such as US for the United States of America.
Organizations can be private companies, government units, and so forth.
Organizational units are divisions, departments, and so forth.
Individuals include people, files, and shared resources such as printers.
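The following is an added example, not code from the patent, that models the information model just described: a distinguished name (DN) is split into its relative distinguished names (RDNs), each entry is placed under its parent in the tree, and the leftmost RDN type names the level (country, organization, organizational unit, individual). The entries are constructed sample data, and the attribute abbreviations c, o, ou and cn are assumed to be the usual LDAP ones.

```python
"""Added example (not from the patent text): a minimal model of the LDAP
information model. DNs are parsed into RDNs, entries are placed under their
parent entry, and the leftmost RDN type names the tree level. The sample
entries below are constructed for illustration."""

from collections import defaultdict

# Leftmost RDN attribute type -> level of the hierarchy described above
# (assumption: the common LDAP abbreviations c, o, ou, cn).
LEVEL_NAMES = {"c": "country", "o": "organization",
               "ou": "organizational unit", "cn": "individual"}


def split_rdns(dn):
    """Split a DN on commas that are not escaped with a backslash, keeping
    each RDN's text (escape characters included) so it re-joins verbatim.
    The empty DN is the root and has no RDNs."""
    if not dn:
        return []
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    return rdns


def parse_dn(dn):
    """Turn 'cn=alice,ou=dev,o=example,c=US' into a list of (type, value)
    pairs, leftmost first. Only the escaped comma ('\\,') is unescaped here."""
    parsed = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        parsed.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return parsed


def parent_dn(dn):
    """The DN with its leftmost RDN removed; '' (the root) for a top-level entry."""
    return ",".join(split_rdns(dn)[1:])


def level_of(dn):
    """Name the hierarchy level of an entry from its leftmost RDN type."""
    if dn == "":
        return "root"
    attr, _value = parse_dn(dn)[0]
    return LEVEL_NAMES.get(attr, "unknown")


def build_tree(entries):
    """Map each DN to the list of its children's DNs, with '' as the root.
    Every parent an entry names must itself be present (or be the root)."""
    children = defaultdict(list)
    for dn in entries:
        parent = parent_dn(dn)
        if parent and parent not in entries:
            raise ValueError(f"{dn!r} has no parent entry {parent!r}")
        children[parent].append(dn)
    return dict(children)


# Constructed sample directory: each entry is a DN mapped to its attributes.
SAMPLE_ENTRIES = {
    "c=US": {"objectclass": ["country"], "c": ["US"]},
    "o=example,c=US": {"objectclass": ["organization"], "o": ["example"]},
    "ou=dev,o=example,c=US": {"objectclass": ["organizationalUnit"], "ou": ["dev"]},
    "cn=alice,ou=dev,o=example,c=US": {"objectclass": ["person"], "cn": ["alice"],
                                       "mail": ["alice@example.test"]},
    "cn=lp1,ou=dev,o=example,c=US": {"objectclass": ["device"], "cn": ["lp1"]},
}


if __name__ == "__main__":
    tree = build_tree(SAMPLE_ENTRIES)
    for parent, kids in tree.items():
        print(f"{parent or '<root>'} ({level_of(parent)}) -> {kids}")
```

Note that `build_tree` refuses an entry whose parent is missing, which mirrors the tree constraint that every non-root entry hangs off an existing entry; a printer and a person both sit at the “individual” level, as the list above states.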
LDAP provides a number of known functions for manipulating the data in the information model. These include search, compare, add, delete, and edit. It provides a rich set of search capabilities with which users can assemble complex queries to return desired information for later viewing and updating.
An LDAP directory can be distributed among many servers, with parts of data residing on a set of machines. Another scenario has each server containing a replicated version of the total directory that is synchronized periodically. An LDAP server is called a Directory System Agent (DSA). An LDAP server that receives a request from a user takes responsibility for the request, passing it to other DSAs as necessary, either through server chaining or client referrals. Both cases ensure a single coordinated response for the user. Although directory structures can reside on a single server, there are several reasons for splitting directories across multiple machines. First, the directory may be too large to make it practical to store on a single server. Second, network administrators may want to keep the physical location of the server close to the expected clients to minimize network traffic.
A referral is used to show where a parent tree may be located. LDAP provides a mechanism for searching directories and for “chasing” referrals. However, the LDAP model does not address issues such as authentication. The LDAP servers contacted while retrieving information must recognize the user registry information.
One approach to solving the authentication problem is to use a client push model, as found in the Distributed Computing Environment (DCE) developed by the Open Group. The user registers with a first server and receives credentials, which include group membership. When accessing resources on a second server, these credentials are presented. The second server either accepts or denies the credentials after verifying their validity through a series of challenges. Windows NT uses a similar client push model.
Another approach to authentication is to define all of the group and user registry information on each machine, as done in a local area network (LAN). Within a domain, each server maintains a copy of authentication information through replication. A separate set of credentials must be maintained for a second domain.
If a directory is distributed over multiple servers, each server must maintain a copy of authentication information, such as group membership. Maintaining identical objects in multiple locations uses excess space and leads to administrative problems when changes are made.
Both approaches to solving the authentication problem have drawbacks. Therefore, it would be advantageous to have an improved method that allows any server to use entry and resource information defined on some other LDAP server.
A method, apparatus, and instructions for maintaining authentication information in a distributed network of servers using Lightweight Directory Access Protocol (LDAP) directories is provided. A process generates and maintains a non-local access server list, queries non-local servers using an LDAP search request, caches responses to queries from non-local servers, updates the cached directory entries, and applies an LDAP operation to the cached directory entries and the local access control data. Customizable LDAP search filters can be applied when conducting a search. A variety of techniques are used to update cache information, such as re-querying each server in the non-local access server list after a predetermined time period. When a request to authenticate a user with a distinguished name is received, the cached directory entries and the local access control data are searched for the distinguished name and, once the distinguished name is located, the user is authenticated with each server in the non-local access server list.
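The following is an added example, not the patent's own code, that simulates the process summarized above end to end: a non-local access server list is queried with a customizable search filter, the responses are cached, each server's portion of the cache is re-queried after a predetermined time period, and an authentication request for a distinguished name is resolved against the local access control data plus the cache before the credentials are checked with the non-local servers. The `MockLdapServer` class, its entries and the password format are constructed stand-ins rather than a real LDAP client, the filter is modelled as a predicate function, and the rule that any server rejecting the credentials fails the request is a modelling choice of this example.

```python
"""Added example (not from the patent): a simulation of the non-local access
server list, the query cache with time-based refresh, and DN-based
authentication. Servers, entries and passwords are constructed stand-ins."""

import hashlib
import hmac


def pw_hash(password):
    """Constructed credential format used by the mock servers (hex SHA-256)."""
    return hashlib.sha256(password.encode()).hexdigest()


class MockLdapServer:
    """Stand-in for a remote DSA: answers subtree search and bind requests
    from an in-memory entry set keyed by DN, and counts searches so cache
    hits and refreshes can be observed."""

    def __init__(self, name, entries):
        self.name = name
        self.entries = entries
        self.searches = 0

    def search(self, base, predicate):
        """Subtree search under `base`; `predicate` is the customizable filter."""
        self.searches += 1
        return {dn: e for dn, e in self.entries.items()
                if (dn == base or dn.endswith("," + base)) and predicate(e)}

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        if entry is None or "userPassword" not in entry:
            return False
        return hmac.compare_digest(entry["userPassword"], pw_hash(password))


class NonLocalAccessCache:
    """Holds the non-local access server list, caches each server's search
    response, and re-queries a server once its response is `ttl` seconds old."""

    def __init__(self, servers, base, predicate, ttl, local_acl):
        self.servers = list(servers)   # the non-local access server list
        self.base = base
        self.predicate = predicate     # customizable LDAP search filter
        self.ttl = ttl                 # predetermined refresh period (seconds)
        self.local_acl = local_acl     # local access control data: dn -> entry
        self.cache = {}                # dn -> (entry, name of origin server)
        self.fetched_at = {}           # server name -> time of its last query

    def refresh(self, now):
        """Re-query every server whose response is missing or older than ttl."""
        for srv in self.servers:
            last = self.fetched_at.get(srv.name)
            if last is not None and now - last < self.ttl:
                continue
            fresh = srv.search(self.base, self.predicate)
            # Replace this server's entries wholesale so deletions propagate.
            self.cache = {dn: v for dn, v in self.cache.items() if v[1] != srv.name}
            for dn, entry in fresh.items():
                self.cache[dn] = (entry, srv.name)
            self.fetched_at[srv.name] = now

    def locate(self, dn, now):
        """Search the local access control data first, then the cached entries."""
        self.refresh(now)
        if dn in self.local_acl:
            return self.local_acl[dn], "local"
        return self.cache.get(dn)

    def authenticate(self, dn, password, now):
        """Authenticate only once the DN is located; the credentials are then
        presented to every listed server holding the entry, and any rejection
        fails the request (modelling choice of this example)."""
        found = self.locate(dn, now)
        if found is None:
            return False
        entry, origin = found
        if origin == "local":
            stored = entry.get("userPassword")
            return stored is not None and hmac.compare_digest(stored, pw_hash(password))
        holders = [s for s in self.servers if dn in s.entries]
        return bool(holders) and all(s.bind(dn, password) for s in holders)


def is_person(entry):
    """Example filter: keep only user entries, so devices never enter the cache."""
    return "person" in entry.get("objectclass", ())


def make_directory():
    """Constructed sample directory split over two non-local servers plus
    local access control data; built fresh so search counters start at 0."""
    a = MockLdapServer("dsa-a", {
        "cn=alice,ou=dev,o=example,c=US": {"objectclass": ["person"], "userPassword": pw_hash("alice-pw")},
        "cn=lp1,ou=dev,o=example,c=US": {"objectclass": ["device"]},
    })
    b = MockLdapServer("dsa-b", {
        "cn=bob,ou=ops,o=example,c=US": {"objectclass": ["person"], "userPassword": pw_hash("bob-pw")},
    })
    local = {"cn=admin,o=example,c=US": {"objectclass": ["person"], "userPassword": pw_hash("admin-pw")}}
    return a, b, local


def demo():
    """Walk the process once and return the observable results."""
    a, b, local = make_directory()
    cache = NonLocalAccessCache([a, b], "o=example,c=US", is_person, ttl=300, local_acl=local)
    r = {}
    r["alice_ok"] = cache.authenticate("cn=alice,ou=dev,o=example,c=US", "alice-pw", now=0)
    r["alice_bad_pw"] = cache.authenticate("cn=alice,ou=dev,o=example,c=US", "wrong", now=1)
    r["device_filtered"] = cache.locate("cn=lp1,ou=dev,o=example,c=US", now=2) is None
    r["admin_local"] = cache.authenticate("cn=admin,o=example,c=US", "admin-pw", now=3)
    r["searches_before_ttl"] = a.searches                 # served from cache so far
    r["bob_ok"] = cache.authenticate("cn=bob,ou=ops,o=example,c=US", "bob-pw", now=400)
    r["searches_after_ttl"] = a.searches                  # ttl elapsed: re-queried
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points worth noticing: the filter runs on the remote side of the search, so entries that fail it (the printer here) never reach the cache and can never be authenticated, and a refresh replaces a server's whole slice of the cache rather than merging into it, so an entry deleted on a non-local server disappears locally after at most one refresh period.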